Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

[Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

This thread has been viewed 48 times
  • 1.  [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted Apr 29, 2020 10:30 AM
      |   view attached

    Attached is a PDF on how to configure Clearpass authentication using EAP-TEAP, also known as EAP-Chaining.

     

    Environment:

    Device: Windows 10 Insider Preview 2004 build 19613.

    CPPM: 6.9.0

     

    EAP-TEAP (RFC: 7170) Abstract:

       This document defines the Tunnel Extensible Authentication Protocol
       (TEAP) version 1.  TEAP is a tunnel-based EAP method that enables
       secure communication between a peer and a server by using the
       Transport Layer Security (TLS) protocol to establish a mutually
       authenticated tunnel.  Within the tunnel, TLV objects are used to
       convey authentication-related data between the EAP peer and the EAP
       server.

     

     

    EAP-TEAPv1 allows for the User and Machine to authenticate during the same session. This will make User + Machine authentication much more graceful.

     

    Instead of relying on the Machine authentication cache in CPPM, you will get the authentication status on the first authentication attempt of both the User and Machine.

    NOTE: My original post disappeared for some reason without notice, so I'm posting again. If I have violated a forum rule somehow please let me know.

    Attachment(s)

    pdf
    ClearPass_EAP-TEAP.pdf   388 KB 1 version


  • 2.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 11, 2020 11:39 PM

    Very interesting, thanks for sharing!

    I can see it being extremely useful in 802.1X (using EAP-TLS) , transitioning from wired to WLAN.



  • 3.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 11, 2020 11:53 PM

    No problem. EAP-TEAP is a game changer. 

     

    I should also note that I worded my notes poorly around identity privacy. You shouldn't ever "untick" the box. It is an important security precaution so the username is not sent in plaintext. 

     

    I will update the doc when I'm near my computer. 



  • 4.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 13, 2020 10:18 AM

    So what is the behaviour with TEAP if the client pc is not logged in? Then its only a computer authentication?

     

    When it logs in, you get a computer and user authentication?



  • 5.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 13, 2020 10:20 AM

    Yes. The User method will be blank. In that regard you will handle it the same as previous EAP methods.



  • 6.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 01, 2021 07:12 AM
    While this does work, it will not allow me to get any info from LDAP.
    The %{Authentication:username} inside LDAP querires doesn't seem to work with TEAP.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 7.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted May 02, 2021 06:17 AM
    Ok, I was able to overcome this issue.

    One thing I'm missing with TEAP:
    - Is it possible to make a query to get the groups the machine is member of?

    The TEAP-Method-1-Username is "host/MACHINE.fqdn", and I can't match that with any attribute inside AD. Any way to get it to show as MACHINE$ ?

    Thanks.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 8.  RE: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining)

    Posted 9 days ago
    hi all,

    i face the same problem that TEAP cannot authorized AD machine group

    ------------------------------
    Ivan Yeung
    ------------------------------